77
edits
Changes
IPSec Tunnel w/CA Certs Configuration (view source)
Revision as of 16:16, 25 June 2024
, Tuesday at 16:16no edit summary
* Two RUTxxx routers of any type
* Two RUTxxx routers of any type
* Both RUTxxx routers must be accessible from each other's WAN connection
* Both RUTxxx routers must be accessible from each other's WAN connection
* (Optional) A second end device to configure and test remote LAN access
* Firmware for the devices must be 00.07.xx.x or above. This is in part to make sure the StrongSwan service is U5.9.6 or >
* An end device (PC, Laptop) for configuration
* (Optional) A second end device to test remote LAN access
----
----
[Image Here showing RUT1 & RUT2 connected via Wan connection]
[Image Here showing RUT1 & RUT2 connected via Wan connection]
[RUT1 Wan IP: 10.0.5.1 Lan IP: 192.168.1.1]
[RUT1 Wan IP: 192.168.1.3 Lan IP: 192.168.3.1]
[RUT2 Wan IP: 10.0.5.2 Lan IP: 192.168.2.1]
[RUT2 Wan IP: 192.168.1.14 Lan IP: 192.168.14.1]
The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces.
The figure above depicts two RUTxxx routers (RUT1 and RUT2) connected by an IPsec tunnel via their WAN interfaces.
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
* Download CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem
* Download CAIPSec.cert.pem, RUT1.cert.pem, RUT1.key.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save`
Next moving to RUT2
Next moving to RUT2
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
* Login to the router's WebUI and go to '''System → Administration → Certificates -> Certificates Manager'''
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT2.cert.pem & RUT2.key.pem
* Import Certificate File *Browse* and import CAIPSec.cert.pem, RUT1.cert.pem, RUT2.cert.pem & RUT2.key.pem
* Go to '''System → Administration → Certificates -> Root CA'''. Toggle `On`. Select `CAIPSec.cert.pem` -> `Upload` & then `Save`
===IPSec RUT1 Config===
===IPSec RUT1 Config===
----
----
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called `CA_EX`
[Screenshot Here]
* IPsec Instance General settings configuration as follows:
- Remote endpoint: `192.168.1.14` // This should be RUT2 WAN IP. You should be able to ping this IP from RUT1 WAN IP.
- Authentication method: `X.509`
- Key: `RUT1.key.pem` // Browse and import the RUT1.key.pem we created & downloaded earlier.
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
- Local certificate: `RUT1.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
- Local identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
- Remote identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
[Screenshot Here]
* Connection settings Advanced settings configuration as follows:
- Remote certificate: `RUT2.cert.pem` // Upload RUT2 cert we created earlier.
* Connection settings General settings configuration as follows:
- Mode: `Start` // start loads a connection and brings
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
- Type: `Tunnel`
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
- Local subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
- Remote subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
- Key exchange: `IKEv2`
[Screenshot Here]
* Connection settings Advanced settings configuration as follows:
- Force encapsulation: `On`
- Local Firewall: `On`
- Remote Firewall: `On`
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
- Dead peer detection: `On`
- DPD action: `Restart`
- DPD delay: `30` // This is in seconds.
- DPD Timeout: `150` // This is in seconds.
- The rest of the configuration leave as default
[Screenshot Here]
* Connection settings Proposal settings configuration as follows:
* Phase 1
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
- Encryption: `AES 128`
- Authentication: `SHA1`
- DH group: `MODP1536`
- Force crypto proposal: `Off`
- IKE lifetime: `3h`
[Screenshot Here]
* Phase 2
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
- Encryption: `AES 128`
- Hash: `SHA1`
- PFS group: `MODP1536`
- Force crypto proposal: `Off`
- IKE lifetime: `3h`
[Screenshot Here]
* Hit 'Save & Apply'
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
[Screenshot Here]
* Reboot the device once you have finished.
===IPSec RUT2 Config===
===IPSec RUT2 Config===
----
* Login to the router's WebUI and go to '''System → Services → VPN -> IPsec'''
* Add a new instance called `CA_EX`
[Screenshot Here]
* IPsec Instance General settings configuration as follows:
- Remote endpoint: `192.168.1.3` // This should be RUT1 WAN IP. You should be able to ping this IP from RUT2 WAN IP.
- Authentication method: `X.509`
- Key: `RUT2.key.pem` // Browse and import the RUT2.key.pem we created & downloaded earlier.
- Key decryption passphrase: Leave blank // This is only needed if an additional password was added to the cert, which we did not do in our earlier steps.
- Local certificate: `RUT2.cert.pem` // Browse and import the RUT1.cert.pem we created & downloaded earlier.
- CA certificate: `CAIPSec.cert.pem` // Browse and import the CAIPSec.cert.pem we created & downloaded earlier.
- Local identifier: `192.168.14.1` // We will use the LAN IP of RUT2 for the Identifier
- Remote identifier: `192.168.3.1` // We will use the LAN IP of RUT1 for the Identifier
[Screenshot Here]
* Connection settings Advanced settings configuration as follows:
- Remote certificate: `RUT1.cert.pem` // Upload RUT1 cert we created earlier.
* Connection settings General settings configuration as follows:
- Mode: `Start` // start loads a connection and brings
it up immediately. For more configuration information please reference *auto* here (https://wiki.strongswan.org/projects/strongswan/wiki/Connsection)
- Type: `Tunnel`
- Default route: `off` // Only use this if you want your default route to be out this tunnel.
- Local subnet: `192.168.14.0/24` // RUT2 LAN subnet we want access to through the tunnel
- Remote subnet: `192.168.3.0/24` // RUT1 LAN subnet we want access to through the tunnel
- Key exchange: `IKEv2`
[Screenshot Here]
* Connection settings Advanced settings configuration as follows:
- Force encapsulation: `On`
- Local Firewall: `On`
- Remote Firewall: `On`
- Inactivity: `3600` // This is in seconds. Can be changed depending on how often you want the tunnel to be checked for data passing.
- Dead peer detection: `On`
- DPD action: `Restart`
- DPD delay: `30` // This is in seconds.
- DPD Timeout: `150` // This is in seconds.
- The rest of the configuration leave as default
[Screenshot Here]
* Connection settings Proposal settings configuration as follows:
* Phase 1
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
- Encryption: `AES 128`
- Authentication: `SHA1`
- DH group: `MODP1536`
- Force crypto proposal: `Off`
- IKE lifetime: `3h`
[Screenshot Here]
* Phase 2
- Proposals // It is VERY important that these settings match between both RUT1 & RUT2
- Encryption: `AES 128`
- Hash: `SHA1`
- PFS group: `MODP1536`
- Force crypto proposal: `Off`
- IKE lifetime: `3h`
[Screenshot Here]
* Hit 'Save & Apply'
* Toggle the CA_EX tunnel on and hit 'Save & Apply' once more
[Screenshot Here]
* Reboot the device once you have finished.
==Testing configuration==
----
Here we will check via SSH on both RUT1 & RUT2 devices that the IPsec tunnel has been established.
That each RUT device can ping the other's LAN IP. In this case 192.168.3.1 for RUT1 & 192.168.14.1 for RUT2.
And that LAN device on RUT1 can ping LAN device on RUT2.
===RUT1 to RUT2 Test===
----
* First make sure each device has been rebooted at least once after you have finished configuring the previous steps.
* SSH into RUT1 device.
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
[Screenshot Here]
* `ping 192.168.14.1` // You should get a response if the tunnel has established properly.
[Screenshot Here]
* SSH into RUT2 device.
* `ipsec statusall` // This should show 2 up with Security Associations and that the connection should be up for some minutes. You should also see the Cert info from the certs we created earlier.
[Screenshot Here]
* `ping 192.168.3.1` // You should get a response if the tunnel has established properly.
[Screenshot Here]
===RUT1 LAN device to RUT2 LAN device Test===
----
----
